ExchangeCve-2021-26855
Windowsv1
Author: Dennis Reneau
description
Exchange Server Vulnerability *.Compiled Files
paths
4 paths
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: ExchangeCve-2021-26855
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle artifact collection with robocopy
function Collect-Artifact {
param (
[string]$SourceDir,
[string]$FolderName,
[string]$FileMask = "*"
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}
# 1. Exchange Server Modified Compiled Files
Collect-Artifact -SourceDir "C:\Windows\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files\" -FileMask "Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled" -FolderName "Exchange_Server_Modified_Compiled_Files"
# 2. Exchange Server Modified Compiled Files
Collect-Artifact -SourceDir "C:\inetpub\wwwroot\aspnet_client" -FileMask "Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled" -FolderName "Exchange_Server_Modified_Compiled_Files"
# 3. Exchange Server Modified Compiled Files
Collect-Artifact -SourceDir "C:\inetpub\wwwroot\aspnet_client\system_web\" -FileMask "Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled" -FolderName "Exchange_Server_Modified_Compiled_Files"
# 4. Exchange Server Modified Compiled Files
Collect-Artifact -SourceDir "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\" -FileMask "Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled" -FolderName "Exchange_Server_Modified_Compiled_Files"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1